-
Notifications
You must be signed in to change notification settings - Fork 409
Security Development Documention
The sandbox run over Debian stable and unattended-upgrades is used to keep the OS up to date allowing reboot if needed at 2:00.
We also have Jenkins jobs which check for dependency vulnerabilities 🕵️ .
For Security concerning Leshan Library, see our Security Policy 📜 .
Eclipse foundation provides upguard tooling to enforce sandbox security. (login at https://cyber-risk.upguard.com/)
The sandbox does not handle any sensitive data or doesn't have any specific right or privilege to access to eclipse foundation resource.
Here some tools used to check configuration of Leshan sandbox hosted at https://leshan.eclipseprojects.io to try to follow security standard.
Tools | Score | Links | Comments |
---|---|---|---|
Mozilla Observatory | ✔️ A+ (06 Nov 2024 ) |
https://observatory.mozilla.org/analyze/leshan.eclipseprojects.io | |
SSL Labs | ✔️ A+ (06 Nov 2024) | https://www.ssllabs.com/ssltest/analyze?d=leshan.eclipseprojects.io | |
Security Headers | ✔️ A (06 Nov 2024) | https://securityheaders.com/?q=https%3A%2F%2Fleshan.eclipseprojects.io%2F | There is a shields.io badge for it but there is currently an issue with it securityheaders-bugs#110. |
Immuniweb SSL Tests | ✔️ A+ (06 Nov 2024) | https://www.immuniweb.com/ssl/leshan.eclipseprojects.io/EnXfNTsb/ | |
Immuniweb Website Tests | ❌ C (06 Nov 2024) | https://www.immuniweb.com/websec/leshan.eclipseprojects.io/dJuBr5PI/ | Mainly because we are using Vue 2.7.16 with no more update ... see need to work on it #1665 |
Here is a list of possible improvements :
Criticity | Improvement | Component | Comments |
---|---|---|---|
❌ | Move to Vue3 | Leshan Server Demo (code) | Not so easy task ... |
Use DNS CAA | DNS configuration | Up to eclipse foundation to fix it | |
CSP remove 'unsafe-eval' | Leshan Server Demo + Sandbox Apache config | We need to investigate but should be done after vue3 migration. | |
Activate OCSP STAPLING | Sandbox Apache Config | If possible we should activate it | |
ℹ️ | Server does not have cipher preference | Sandbox Apache Config | Current SSL config is generated from moz://a SSL Configuration Generator:intermediate and SSLHonorCipherOrder is off , so we don't know if we should follow that advice and set it to on ? |
ℹ️ | HSTS Preload | Sanbox Apache Config | We should probably activate it. |
ℹ️ | X-XSS-Protection | Sandbox Apache Config | This is deprecated should we remove it ? |
ℹ️ | No Web application firewall | Sandbox Apache Config | We don't know if we need to configure that kind of tool ? Overkill for our usecase ? |
ℹ️ | Privacy Policy (GPDR) | ? | We don't know really how to fix, is there a standard way to expose this kind of policy ? |
ℹ️ | TLS 1.3 EARLY DATA (0-RTT) | Sandbox | We need to investigate. |
ℹ️ | Extended Validation (EV) certificate | Sandbox | We think we don't need that... |
All contributions you make to our web site (including this wiki) are governed by our Terms of Use, so please take the time to actually read it. Your interactions with the Eclipse Foundation web properties and any information you may provide us about yourself are governed by our Privacy Policy.